Google tricked Apple’s Safari privacy settings, tracked users: report

Google is under fire once again. The Wall Street Journal reports that Google used special code to bypass the default privacy settings on Apple’s iPhone browser and on Safari on PCs. The code allowed Google to track Web users and send that information to the company’s DoubleClick ad network.

Discovered by Stanford researcher Jonathan Mayer, the tracking was a technical side-effect of code that allowed users to sign into Google+ and click “+1” buttons on DoubleClick ads, which in turn shared those ads with friends by posting a message on those users’ Google+ profiles.

Safari, on both iOS devices and on Macs, is set to automatically block installation of third-party cookies used to track users. (Other types of cookies, like those that tell the computer that a user has visited a website before, are allowed.) Google’s code secretly submitted a form that made Safari behave as though the user had authorized the cookie installation.

After being contacted by WSJ about the code’s tracking functionality, Google immediately disabled the code. Still, the company asserts that the situation is not as bad as the paper makes it out to be.

“The Journal mischaracterizes what happened and why,” Google said in a statement. “We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”

Additionally, Google’s European Director of Communications, Rachel Whetstone, said the code was actually intended to keep users anonymous when Safari was connecting with Google’s servers, and that the tracking was entirely unintentional.

“We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers,” she said. “It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.”

Part of the reason the code was able to operate the way it did is an oddity in how Safari treats cookies. Once a site has installed a single cookie onto a device, Safari then makes it easy for the site to install additional cookies. This enables sites like Facebook and Google+ to install cookies via the “Like” or “+1” buttons that are installed on countless sites across the Web, as long as a user has actually visited one of these sites first.
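The two behaviours described above (a form submission treated as user authorization, and the rule that a site holding one cookie may set more) can be modelled as a small policy function to show how the first exception opens the door for the second. This is an added example, not code from Google, Apple or the Stanford study; the rule names, the event format and the example domains are assumptions, and the model is deliberately simplified.

```javascript
// Simplified model of the cookie policy the article describes (added example).
// Rule names and the event format are assumptions made for illustration.
function makeJar({ formException = true } = {}) {
  const cookies = new Map(); // domain -> array of cookie names

  function decide(ev) {
    const firstParty = ev.requestDomain === ev.pageDomain;
    if (firstParty) return "first-party";
    // Oddity from the article: a domain that already holds a cookie
    // may set more, even in a third-party context.
    if (cookies.has(ev.requestDomain)) return "existing-cookie";
    // Form submissions were treated as if the user had authorized the cookie.
    if (formException && ev.viaForm) return "form-submission";
    return null; // blocked: third party, no prior cookie, no form
  }

  function handle(ev) {
    const rule = decide(ev);
    if (rule) {
      const list = cookies.get(ev.requestDomain) || [];
      cookies.set(ev.requestDomain, list.concat(ev.cookie));
    }
    return { cookie: ev.cookie, accepted: rule !== null, rule };
  }
  return { handle, cookies };
}

// Constructed event sequence: the user only ever visits news.example;
// ads.example is embedded there as a third party.
const EVENTS = [
  { pageDomain: "news.example", requestDomain: "news.example", cookie: "session", viaForm: false },
  { pageDomain: "news.example", requestDomain: "ads.example", cookie: "probe", viaForm: false },
  { pageDomain: "news.example", requestDomain: "ads.example", cookie: "marker", viaForm: true },
  { pageDomain: "news.example", requestDomain: "ads.example", cookie: "tracking_id", viaForm: false },
];

function replay(options) {
  const jar = makeJar(options);
  return EVENTS.map((ev) => jar.handle(ev));
}

function summarize(results) {
  return results.map((r) => `${r.cookie}:${r.rule || "blocked"}`).join(" ");
}

console.log("with form exception:   ", summarize(replay({ formException: true })));
console.log("without form exception:", summarize(replay({ formException: false })));
```

In the model, turning off the form exception leaves every third-party cookie blocked, which shows that the "existing cookie" rule only becomes a tracking path once some other rule lets the first cookie in.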

Google has been repeatedly criticized for playing loose with user privacy. Just recently, the company came under fire for changing its privacy policy to allow it to more easily share information about users between its various products. The European Union has pushed for Google to overturn these changes. The Electronic Privacy Information Center last week sued the US Federal Trade Commission, in an attempt to compel the government to force Google to change its privacy policy. And last year, in a settlement (pdf) with the FTC, Google was forced to promise that it would not “misrepresent” its privacy practices. Were it to do so, Google would have to pay a fine of $16,000 per violation, per day. It is not yet known whether the FTC considers Google’s use of this code a violation.

Update: The Consumer Watchdog advocacy group has formally requested that the FTC investigate whether the code’s circumvention of Safari privacy settings constitutes a violation of Google’s settlement. See the request here: pdf.

In addition to Google, the Stanford study found that three other online ad firms were using similar codes to bypass Safari’s privacy settings: Vibrant Media, WPP’s Media Innovation Group, and Gannett’s PointRoll.

An Apple spokesperson told WSJ that it is aware that companies are circumventing Safari’s privacy settings, and is “working to put a stop to it.”